Win10XPE : How to enable SSH Server with Public Key Authentication
Hello TenForums Friends,
I've been thinking about enabling SSH Server on WinPE for quite some time. I was pleasantly surprised to see a thriving community for Win10XPE on this forum. So I took this opportunity to explore further.
Normally for a full-fledged modern Windows 10, I would just enable the SSH Server feature. However, I could not do so for Win10XPE. Nor could I find any plugin. Maybe I didn't search hard enough. So I decided to give it a try myself. Let me see how far I can go, that was my approach. I am pleased to say that I could enable the SSH Server and successfully connect from a remote client using public key authentication.
I would like to share my experience and detailed instructions. If you are a developer or a hobbyist who likes tinkering around, this one is definitely for you. Of course, this is funtime code and shouldn't be viewed as professional production software.
For brevity, I call the SSH Server feature sshd. I used XPE version 2022-01-07 with Win10 Pro 20H2 x64 source for installing sshd. My host is Win10 Enterprise 22H2 x64.
So, here it goes :
0. Prerequisites and convention :
0.1 sshd runs on top of an existing and functioning Win10XPE. I assume you are already familiar with building and using it. Preferably use the WinBuilder version released on 2022-01-07 and sourced from 64-bit Windows 10 version 20H2.
0.2 I also assume you are familiar with SSH and the public key authentication technique. You will need a pair of public and private keys generated. Type ed25519 is supported. The command on the ssh-client Windows machine is :
ssh-keygen.exe -t ed25519 -f id_ed25519_win10xpe
This will create two files :
id_ed25519_win10xpe.pub : This is the public key file. We will need it in step 3.2 below.
id_ed25519_win10xpe : This is the private key file. Keep it with you. Do not share this file. We use this file in step 7 below.
0.3 Convention :
%basedir% : This is the directory on the building host where Win10XPE.exe is located. This is a buildtime host variable.
%WinDir% : This is a runtime Win10XPE Environment Variable. Usually it is 'X:\Windows'.
%programdata% : This is a runtime Win10XPE Environment Variable. Usually it is 'X:\ProgramData'.
1. Registry additions :
1.1 Create firewall rules file : Create a text file fw-rules-ssh.script. Paste from the source below :
// fw rules sshd
RegHiveLoad,Tmp_System,%RegSystem%
RegWrite,HKLM,0x1,Tmp_System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules,sshd-udpm,"v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=22|App=#$pWinDir#$p\system32\OpenSSH\sshd.exe|Name=OpenSSH Server (sshd) udp|Desc=Inbound UDP rule for OpenSSH SSH Server (sshd) over port 22.|EmbedCtxt=OpenSSH Server|"
RegWrite,HKLM,0x1,Tmp_System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules,sshd-tcpm,"v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=22|App=#$pWinDir#$p\system32\OpenSSH\sshd.exe|Name=OpenSSH Server (sshd) tcp|Desc=Inbound TCP rule for OpenSSH SSH Server (sshd) over port 22.|EmbedCtxt=OpenSSH Server|"
RegHiveUnLoad,Tmp_System
1.2 Add the created file : Now go to WinBuilder, open the " Win10XPE --> Additions " panel, tick the 'run this script after' option and choose the file fw-rules-ssh.script created above. Press the little blue arrow button next to the select dialogue button to play the selected script. Please see the pic below :
2. Resources gathering :
2.1 OpenSSH package : Download the OpenSSH zip file from : https://github.com/PowerShell/Win32-...nSSH-Win64.zip
The webpage is : GitHub - PowerShell/Win32-OpenSSH: Win32 port of OpenSSH
The zip file has only 1 top level folder named : OpenSSH-Win64. Extract this folder along with its contents to %basedir%\Custom\x64\AdditionalFiles\Windows\System32. Rename the folder to OpenSSH.
2.2 Pecmd files : Create a folder pecmd-files in %basedir%\Custom\x64\AdditionalFiles\Windows\System32\OpenSSH. Create two files in the newly created folder. Paste the files' contents from :
file 1 : acl-ssh-tree.txt, source below :
ssh
D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)
ssh\administrators_authorized_keys
D:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;LS)
ssh\sshd.pid
D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;AU)
ssh\sshd_config
D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;AU)
ssh\ssh_host_dsa_key
D:P(A;;FA;;;BA)(A;;FA;;;SY)
ssh\ssh_host_dsa_key.pub
D:P(A;;FA;;;BA)(A;;FA;;;SY)
ssh\ssh_host_ecdsa_key
D:P(A;;FA;;;BA)(A;;FA;;;SY)
ssh\ssh_host_ecdsa_key.pub
D:P(A;;FA;;;BA)(A;;FA;;;SY)
ssh\ssh_host_ed25519_key
D:P(A;;FA;;;BA)(A;;FA;;;SY)
ssh\ssh_host_ed25519_key.pub
D:P(A;;FA;;;BA)(A;;FA;;;SY)
ssh\ssh_host_rsa_key
D:P(A;;FA;;;BA)(A;;FA;;;SY)
ssh\ssh_host_rsa_key.pub
D:P(A;;FA;;;BA)(A;;FA;;;SY)
file 2 : pecmd-sshd.bat, source below :
@echo off
rem mkdir is a cmd.exe builtin; create the log folder first so the redirected output below has somewhere to go
mkdir %programdata%\ssh\logs\
(
rem register sshd as an auto-start service running under the local administrator account
%WinDir%\system32\sc.exe create sshd binPath= "%WinDir%\system32\OpenSSH\sshd.exe" start= auto DisplayName= "OpenSSH Server for WinPE" obj= .\administrator password= ""
rem give that account the Log on as a service right
%WinDir%\system32\ntrights.exe -u administrator +r SeServiceLogonRight
rem generate any missing host keys
%WinDir%\system32\OpenSSH\ssh-keygen.exe -A
rem apply the saved ACLs to the ssh tree; sshd refuses key files with loose permissions
%WinDir%\system32\icacls.exe %programdata% /restore %WinDir%\system32\OpenSSH\pecmd-files\acl-ssh-tree.txt /c
%WinDir%\system32\net.exe start sshd
) 1>> %programdata%\ssh\logs\pecmd-sshd.log 2>&1
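As an added check (not part of the original post or of the Win32-OpenSSH project), the following Python script parses the icacls /save format used by acl-ssh-tree.txt above and flags private host keys or authorized_keys files whose DACL is not protected, grants access to broad groups, or lets a non-admin principal write. Win32-OpenSSH refuses to use host keys or authorized_keys files whose permissions are too open, which is the reason the ACL file exists; the sample is constructed from three of the entries above plus one deliberately loose entry.

```python
import re

# Constructed sample in icacls /save format (path line, then SDDL line);
# first three entries copied from acl-ssh-tree.txt, last one deliberately loose.
SAMPLE = r"""ssh
D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)
ssh\administrators_authorized_keys
D:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;LS)
ssh\ssh_host_ed25519_key
D:P(A;;FA;;;BA)(A;;FA;;;SY)
ssh\ssh_host_rsa_key
D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;AU)
"""

# ACE fields: type;flags;rights;object_guid;inherit_guid;sid
ACE_RE = re.compile(r"\((\w*);(\w*);([^;]*);[^;]*;[^;]*;([^)]*)\)")
PRIVILEGED = {"SY", "BA"}                # SYSTEM, Builtin Administrators
BROAD = {"AU", "BU", "WD", "IU", "AN"}   # Authenticated/Builtin Users, Everyone, Interactive, Anonymous
WRITE_TOKENS = {"FA", "FW", "GA", "GW", "WD", "WO"}  # full, file write, generic all/write, write DAC/owner
# FILE_WRITE_DATA|FILE_APPEND_DATA|DELETE|WRITE_DAC|WRITE_OWNER|GENERIC_ALL|GENERIC_WRITE
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000

def parse_icacls_save(text):
    """Return [(path, sddl), ...]; icacls /save writes alternating path and SDDL lines."""
    lines = [l for l in text.splitlines() if l.strip()]
    return list(zip(lines[0::2], lines[1::2]))

def rights_allow_write(rights):
    """True if an SDDL rights field (two-letter tokens or hex mask) allows modification."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & WRITE_MASK != 0
    return any(rights[i:i + 2] in WRITE_TOKENS for i in range(0, len(rights), 2))

def is_sensitive(path):
    name = path.rsplit("\\", 1)[-1]
    return name.endswith("authorized_keys") or (name.startswith("ssh_host_") and not name.endswith(".pub"))

def audit(text):
    """Return findings for key material whose ACL sshd would reject or that is too wide."""
    findings = []
    for path, sddl in parse_icacls_save(text):
        if not is_sensitive(path):
            continue
        dacl_flags = sddl[2:sddl.index("(")] if "(" in sddl else sddl[2:]
        if "P" not in dacl_flags:  # not protected: inherited ACEs from the parent can widen access
            findings.append(f"{path}: DACL not protected, inherited ACEs could widen access")
        for ace_type, _flags, rights, sid in ACE_RE.findall(sddl):
            if ace_type != "A" or sid in PRIVILEGED:
                continue
            if sid in BROAD:
                findings.append(f"{path}: broad principal {sid} granted {rights}")
            elif rights_allow_write(rights):
                findings.append(f"{path}: non-admin {sid} can write ({rights})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```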
2.3 ntrights : Download ntrights.zip from here : https://www.tenforums.com/attachment...a-ntrights.zip
Extract ntrights.exe from the above zip file and save it to : %basedir%\Custom\x64\AdditionalFiles\Windows\System32
3. Configure OpenSSH files and folders :
3.1 Open %basedir%\Custom\x64\AdditionalFiles\Windows\System32\OpenSSH\sshd_config_default in a text editor such as notepad and save it as %basedir%\Custom\x64\AdditionalFiles\ProgramData\ssh\sshd_config. After saving, continue editing the same file.
Please note that any line starting with # is a comment.
Locate the Logging section and add these two lines :
SyslogFacility LOCAL0
LogLevel DEBUG3
These log options will generate a verbose log useful for debugging ( if needed ). You may leave the old lines commented.
Similarly add this line to the Authentication section :
AuthorizedKeysFile %programdata%\ssh\authorized_keys
You need to comment out the old line.
Now save and close the sshd_config file editing.
3.2 Now in a text editor ( such as notepad ) open a new blank file named : %basedir%\Custom\x64\AdditionalFiles\ProgramData\ssh\administrators_authorized_keys
Paste the public key file id_ed25519_win10xpe.pub contents ( from step 0.2 ) into the new file, save it and close the editor.
4. Amend pecmd.ini :
Please open the file %basedir%\Custom\Pecmdini\pecmd.ini in a text editor such as notepad. Please locate the line : CALL NetInit
After this add the following line :
%WinDir%\system32\OpenSSH\pecmd-files\pecmd-sshd.bat
Save and close the file.
5. Now all resources are in place. You may build the Win10XPE_x64.ISO by clicking the BigBlueButton.
6. When the build is complete, you may run the Win10XPE. Use a virtual machine or deploy it to a real machine. Boot the Win10XPE. Do not switch to the administrator account. During the logon process sshd will start automatically. You can check that in the next step below.
7. Grab a remote ssh-client. Make sure you have the private key created in step 0.2 above available over there. Open a command prompt and type :
ssh.exe administrator@<ip address or hostname of the Win10XPE> -i id_ed25519_win10xpe
Now you are in Win10XPE's shell at X:\Windows
Enjoy !
Disclaimers :
1. This is a funcode exercise. Please do not use it as a production software.
2. ntrights.exe is an obsolete tool. But it works.
3. Security implications : There could be some. I do not know. Please use this facility at your risk.
Credits :
1. www.tenforums.com : I owe a ton of thanks to TenForums website for obvious reasons. I am using their forum to write this article.
2. Theoven.org : That's how I became interested in building WinPEs.
3. ChrisR : a.k.a. The Legend. His colossal efforts and acute insights made Win10XPE project live and running. The 'Quick Start Guide' he wrote is an extremely useful resource.
4. Kyhi : He is enthusiastically maintaining the project here : Win10XPE - Build Your Own Rescue Media [2]. His tips are indispensable.
5. I am thankful to Win10XPE community members such as APT38, Megahertz, SIW2, doudiii and many more for building a thriving community. That really triggered my sustained interest.
6. Last but not least, it's me. Yes, I take all the credit for putting all the credits together ! ;-)
Hope you enjoyed my ride. Let me know your views.
Thank you!
-Gamma
Last edited by GammaP; 14 Oct 2022 at 11:53.